Feds Say Threat Actors Are Attacking SLTT, Critical Infrastructure, and Elections Organizations
The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory warning of malicious activity by threat actors. The joint Alert (AA20-283A) says that advanced persistent threat (APT) groups are targeting federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and elections organizations by chaining vulnerabilities in their cyber attacks.
CISA says that although the threat actors compromised election support systems, there is no evidence that election data has been compromised.
“Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” says the alert.
In this campaign, threat actors exploit unpatched security vulnerabilities to compromise an IT network. Chaining vulnerabilities means that the threat actors use multiple security vulnerabilities together during one cyber attack.
In this advisory CISA and the FBI warn that an advanced persistent threat group is chaining older security vulnerabilities with the recent Windows Netlogon vulnerability CVE-2020-1472. As far as the legacy exploits go, the threat actors mostly use the Fortinet FortiOS VPN vulnerability CVE-2018-13379. This is a critical security vulnerability dating back to mid-2018. This security flaw allows an attacker to download system files via specially crafted HTTP resource requests.
According to the advisory, other products whose vulnerabilities could be targeted include:
- Citrix NetScaler CVE-2019-19781
- MobileIron CVE-2020-15505
- Pulse Secure CVE-2019-11510
- Palo Alto Networks CVE-2020-2021
- F5 BIG-IP CVE-2020-5902
“CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised,” says the alert.
Once a network is compromised, the threat actors use stolen login credentials over virtual private network (VPN) and Remote Desktop Protocol (RDP) connections to access data.
The attacks are targeting federal and state, local, tribal, and territorial (SLTT) government networks as well as other organizations.
CISA recommends that system administrators keep all VPN appliances patched and remove any unused VPN accounts. All network infrastructure devices and remote work devices should also be updated with the latest software patches.
The advisory also recommends requiring multifactor authentication (MFA) for all VPN logins.
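The two account-level recommendations above (remove unused VPN accounts, require MFA on every VPN login) are the kind of thing an administrator can check from authentication records. The script below is an added illustration, not code from CISA or the advisory: it runs over a constructed, inline set of VPN login records and a constructed list of provisioned accounts, reports accounts that have not logged in within a chosen idle window (or never have), and lists accounts that completed a login without MFA. The record layout, field names, and 90-day threshold are assumptions for the example; a real deployment would read the concentrator's own logs and user directory.

```python
from datetime import datetime, timedelta

# Constructed sample of VPN authentication records (not real logs).
# Each tuple: (ISO-8601 timestamp, username, whether MFA was completed).
SAMPLE_VPN_LOGINS = [
    ("2020-10-01T08:12:00", "alice", True),
    ("2020-10-05T09:30:00", "bob", False),
    ("2020-06-02T17:45:00", "contractor1", True),
    ("2020-10-06T22:10:00", "alice", True),
]

# Constructed list of accounts provisioned on the VPN concentrator.
# "old_admin" has no login record at all, the classic forgotten account.
PROVISIONED_ACCOUNTS = ["alice", "bob", "contractor1", "old_admin"]


def parse_login(record):
    """Turn one (timestamp, user, mfa) tuple into typed values."""
    ts, user, mfa = record
    return datetime.fromisoformat(ts), user, bool(mfa)


def stale_accounts(logins, accounts, now, max_idle_days=90):
    """Return provisioned accounts with no login in the last max_idle_days.

    Accounts that never appear in the login records count as stale,
    since they are exactly the unused accounts the advisory says to remove.
    """
    last_seen = {}
    for rec in logins:
        ts, user, _ = parse_login(rec)
        if user not in last_seen or ts > last_seen[user]:
            last_seen[user] = ts
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in accounts if last_seen.get(u, datetime.min) < cutoff)


def logins_without_mfa(logins):
    """Return the sorted set of users that completed at least one VPN login without MFA."""
    return sorted({user for _, user, mfa in map(parse_login, logins) if not mfa})


if __name__ == "__main__":
    # Fixed "now" so the sample data gives stable results.
    now = datetime(2020, 10, 10)
    print("stale VPN accounts:", stale_accounts(SAMPLE_VPN_LOGINS, PROVISIONED_ACCOUNTS, now))
    print("logins without MFA:", logins_without_mfa(SAMPLE_VPN_LOGINS))
```

With the sample data, `contractor1` (last seen in June) and `old_admin` (never seen) are flagged as stale, and `bob` is flagged for a login that bypassed MFA; both lists are the review queue for the cleanup the advisory asks for.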